How Irish CISOs can secure supply chains from growing cyber threats

Supply chain vulnerabilities have been exposed a lot more in the past year and a half. There is a need to reimagine supply chain strategies.

If there is one part of the cyber threat landscape that has evolved significantly in the past year and a half and in need of greater resilience, it is the supply chain. The COVID-19 outbreak bared the vulnerabilities of supply chains. It led Ireland’s Chief Information Security Officers (CISOs) and heads of supply chain to reimagine supply chain strategies from a cyber risk perspective to prevent similar disruptions in future.

The EY Ireland Global Information Security Survey (GISS) 2021 finds that the supply chain presents considerable danger as a fourth or fifth party may be several times removed from the organisation, but it could still pose a cybersecurity risk. However, more than two-thirds (70%) of the Irish respondents say they are confident they can ensure their entire supply chain is water-tight in its ability to defend and recover against threat actors.

Alan Dickson, EY Ireland Director, Consulting and Procurement and Supply Chain, talks about the need to develop a robust third-party risk management process and diversify supplier network.

Q. What are the imminent cybersecurity risks to Ireland’s supply chain in the coming six months to a year?

A. Multiple well documented and discussed risks will continue to feature. From a cybersecurity perspective, disruption to various processes involved in the movement of goods in Ireland is especially a concern, given the introduction of new regulatory systems when dealing with the UK. These include customs formalities including customs declarations, routine customs checks, payment of customs duties.

Q. How different should the risk approach be for Irish supply chains compared to the organisation’s overall risk management plan?

A. The supply chain cyber risk approach should be part of the organisation’s overall risk management plan. An organisation’s supply chain is integral to its operations and, therefore, the risk approach must be holistic. This is of particular relevance in Ireland, where many constituent components are imported. In any business, a shutdown or operational delay will have a downstream impact on contractual commitments. Liquidated damages form a standard part of many contracts. So aside from reputational impact, there is a tangible financial penalty for non-conformity to contractual terms.

Q. As increased cloud technology adoption and virtual servers lead to more breaches, what steps need to be taken from a technology perspective to make the Irish supply chains more secure?

Q. What should be the key elements of a robust vendor or third-party risk management plan to build more cyber resilience into Irish supply chains?

A. Vendor due diligence is of paramount importance to manage third-party risk. This will provide valuable insight into beneficial ownership, debt, projected growth, and product quality. Screening for sanctions and negative news media, among other aspects, must also be considered. This allows supply chain owners to make informed decisions on partnering with a vendor. Stability of potential vendors and their associated cyber infrastructure must be established to mitigate this risk vector.

Another key area of focus is sustainability. Sustainability within the context of supply chain speaks to the integration of ethical and environmentally conscious practices. This gives a firm grounding through end-to-end supply chain transparency, helping Irish supply chains understand constituent materials and sources. This, in turn, highlights potential areas of failure and therefore risk. Irish supply chains must begin to manage suppliers over the whole lifecycle of a product or service.

Q. What controls can be put in place to plug zero-day vulnerabilities in Ireland’s supply chains?

Q. Whose responsibility in organisations should it be to secure supply chains? How can Irish CISOs help build a more collaborative approach?

A. The supply chain is an integral part of the organisation’s operations and disruption will create a negative customer experience. Thus, it is the responsibility of all members of the organisation to utilise their training and best practice in this regard. Positive steps to establish supply chain stability may include:

Typically, the supply chain team or warehousing team are expected to manage the supply chain in isolation. However, all channels by which the organisation obtains data on the supply chains must be considered when securing the supply chain.